No, I cannot share data breaches with you

30 October 2015

If you’re reading this, it’s possible I directed you here with little more than a mere URL in my reply to you. It’s likely that you asked for data that has been breached from an online system. Perhaps it was your data you asked for, perhaps it was other people’s data you were seeking but regardless, the response is the same. No, I cannot.

In running Have I been pwned? (HIBP) I obviously come across a lot of data breaches with a lot of sensitive data. I understand that often people are worried about what data about themselves may have been exposed and they just want a copy of it. In fact, I understand it very well because I get bombarded by requests – more than I could possibly handle. The volume of requests aside, it’s frequently not a simple task to pull this data on a per individual basis, particularly given I lock it away out of easy reach (for obvious reasons).

Other times it’s people wanting to exchange breach data. This trading of sensitive, personal information is frequently done for malicious purposes. It will then be sold or commoditised in other ways which seek to exploit the misfortune of those who find themselves in the breach. This is not ok and you should carefully question your motives if this is you.

I appreciate that at times it’s people who have only research purposes in mind; perhaps they’re doing password analysis or drawing other insights from aggregated data, and certainly I’ve done that many times myself in the past. But the problem is that not only must I rely on the word of someone who is often a complete stranger, but if I were to redistribute the data then I would be complicit in its spread across the web.

I have always said no to these requests not only because I do not believe it’s in the best interests of the individuals who own the data, but because I put huge amounts of effort into ensuring I handle breaches as ethically as possible. Of course I myself am dependent on being able to obtain this data in the first place in order to be able to run HIBP and I’m conscious of the responsibility that entails. My focus remains on being able to continue doing what I’m doing and providing a service that helps victims of data breaches, not puts them at more risk.

Just in case it’s not entirely clear, let me provide some quick Q&As for you:

Q. I would like a copy of my data from a breach, can you please send it to me?

A. No, I cannot

Q. I have a breach I would like to give you in exchange for “your” breach, can you please send it to me?

A. No, I cannot

Q. I’m a security researcher who wants to do some analysis on the breach, can you please send it to me?

A. No, I cannot

Q. I’m making a searchable database of breaches; can you please send it to me?

A. No, I cannot

Q. I have another reason for wanting the data not already covered above, can you please send it to me?